Our shop has identified several reasons why releasing our software solutions to the open source community would be a good idea. However, there are several reasons from a business standpoint why converting our shop to open source would be questioned. I need help from anyone out there who has gone through this transition, or is in the process. Specifically a government entity.

About our shop:
- We develop and support web and client applications for the local law enforcement community.
- We are NOT a private company, rather a public sector entity.

Some questions that tend to come about when we have this discussion are:

We're a government agency, so isn't our code already public?

How do we protect ourselves from being 'hacked' if someone looks into our code?
(There are obvious answers to this question, like making sure you don't hard-code passwords, etc. However, the discussion needs to consider an audience of executives who are very security conscious.)

3 Answers

No, I'm afraid I don't know of a govt. sector company converting to open source. Although the place to poke into might be MITRE, since they have a very interesting dynamic as a place that supports government contracts, does research and works for the public good. If anyone has gotten into this sphere, I think it would be MITRE.

Things I'd think about:

Ownership of existing code is defined by your contracts. It depends on how you've set up your contracts in the past in terms of what rights you have to release your code as open source. Do not go past GO, go directly to lawyers.

Security - there are two philosophies:

The more eyes the better - in a true open source project, you wouldn't be the only contributors. Theoretically, the number of good guys who want to contribute to using the product successfully will outweigh the bad guys who want to exploit flaws. If the competence and abundance of good guys trumps bad guys, then you have a good formula for maintaining a secure software baseline. This general philosophy is argued by a lot of the big names in the security business.

Protect secrecy at all costs - a basic assumption that you have enough in-house experts that have been vetted by your organization that your closed organization will trump the hackers in brilliance and diligence. This hasn't worked so well for Microsoft, but it's the policy by which a number of government agencies operate. I do know of situations where open source cannot be used because it's now public and the theory is that something which is known well to the hacker will be easier to hack than something that the hacker has never seen, because the development was done in a closed circuit where nothing leaked.

I am not going to make a judgement call on that one. In fact, I think the metrics are un-learnable, because I believe that ultimate examples of the second path are secret enough that statistics regarding the number of times that these secret systems have been hacked will never be made available to the masses. So how can you compare open source vs. secret development? The best you can do is compare open source to private sector development.

Lastly - the business -

Probably most important is - is this right for you? If you have been building products and growing them across multiple customers, then your move to open source will in some ways be a move from product development to solution development and consulting. You'll want to consider both technical issues - like how do you manage your code base if outside parties are contributing things you don't necessarily want in your baseline? And you'll have to change some of your business model, since you will need to explain to your customers how you are of value, even when your code is on the web for free.

I think these things are doable - but I think that's the biggest thing to consider - you want to still have a job when you are done, and you'll have to get your whole business line involved in creating the solution.

bethlakshmi, thank you very much for your thoughts! I took a quick peek at mitre.org and am very intrigued by their business model. I will definitely follow up with them. Regarding the business - we are not under any contracts for the work that is performed. Our shop is a public agency, and our projects are prioritized by local law enforcement agencies (LEAs). Think of it as the LEAs having in-house development instead of purchasing 3rd party software. Our ultimate goal would be for other LEAs to use similar tools so that data sharing could be a true reality.
– Rob Oesch, Jan 17 '11 at 18:41

Depends on your country and branch of government, but in practice: No.

I personally believe it's better to have your code exposed to people who can catch the security holes you missed and fix them, even if that means others could take advantage of them. At the end of the day you'll have more secure code.

This is not your decision to make - it's for the management up the chain.

You have to explain what the implications and ramifications are of open source development, including "giving away your intellectual property". (Mislead them about anything and they will crucify you - and rightly so.)

Only if you have approval from the people who have their butts on the line should you be doing this. Usually (especially) in a public service organisation they are also the people who pay your salary.

And make sure if you get approval that you have it in writing. And from somebody high up enough to actually have the power to make the decision. (The more senior developer in the seat next door is probably not sufficiently authorized).

How exactly do you know it's not his decision to make? Or that he's not involved/tasked with making it?
– GrandmasterB, Jan 14 '11 at 23:10

A public service code cutter or their manager (asking this question on this forum) would be extremely unlikely to have the authority to make a decision like this. There will be somebody higher up who will have to decide. I've been there many years ago - in a government organisation - releasing software for no fee. There is always somebody above who needs to know, and who will get (or know how to get) the right legal release process arranged - if at all.
– quickly_now, Jan 15 '11 at 0:42

quickly_now and GrandmasterB, thank you for your responses. I don't want to get into a huge discussion about our organizational structure, but you are both correct. I oversee the Information Technology Department for our agency, and will be the person working directly with our legal department to ultimately pitch this idea to a board of executives. My team is supportive of this idea, and they now need me to represent their interests to the non-technical decision makers (with me being one of the technical decision makers). My hope is that others have experienced this same challenge.
– Rob Oesch, Jan 17 '11 at 18:28